Carnegie Mellon
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
1
14
–
513
18
–
613
Carnegie Mellon
Virtual Memory: Systems
15-213/18-213/14-513/15-513/18-613: Introduction to Computer Systems
18th Lecture, October 29, 2020
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
2
Carnegie Mellon
Announcements Lab 5 (malloclab)
▪ Checkpoint due Thu, Oct. 29, 11:59pm ET Written Assignment 7 peer grading
▪ Due Wed, Nov. 4, 11:59pm ET Written Assignment 8
▪ Due Wed, Nov. 4, 11:59pm ET
Recitation on Malloc Lab (part II)
▪ Mon, Nov. 2. Slides are already posted
U.S. Election Day is Tues, Nov.3
▪ If eligible, go VOTE!
▪ Skip class if need be (NO QUIZ on TUES!)
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
3
Carnegie Mellon
Review: Virtual Memory & Physical Memory
Virtual address
Physical page number or disk address
Physical memory (DRAM)
PP 0
PP 3
VP 1
VP 2
VP 7
VP 4
Valid
PTE 0
0
null
1
1
0
1
0
null
0
1
PTE 7
Virtual memory (disk)
VP 1
VP 2
VP 3
VP 4
VP 6
VP 7
Memory resident
page table
(DRAM)
A page table contains page table entries (PTEs) that map
virtual pages to physical pages.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
4
Carnegie Mellon
Having multiple levels greatly reduces page table size
Translating with a k-level Page Table
Page table base register (part of the process’ context)
n-1
VIRTUAL ADDRESS
p-1 0
VPN 1
the Level 1 page table
a Level 2 page table
a Level k page table
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
5
VPN 2
…
… …
m-1
p-1 0
PPN
PPO
PHYSICAL ADDRESS
VPN k
VPO
PPN
Carnegie Mellon
Translation Lookaside Buffer (TLB)
A small cache of page table entries with fast access by MMU
2
VPN
TLB
PTE
3
CPU
VA
PA
MMU
14
Data
5
Typically, a TLB hit eliminates the k memory accesses required to do a page table lookup.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
6
Cache/ Memory
Carnegie Mellon
Recall: Set Associative Cache
E = 2e lines per set
t bits
s bits
b bits
S = 2s sets
Address of word:
CT CI CO
tag index offset
data begins at this offset
valid bit
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
B = 2b bytes per cache block (the data)
7
Steps for a READ:
• Locate set
• Check if any line in set
has matching tag
• Yes + line valid: hit
• Locate data starting
at offset
v
tag
0
1
2
B-1
Carnegie Mellon
Review of Symbols
Basic Parameters
▪ N = 2n : Number of addresses in virtual address space
▪ M = 2m : Number of addresses in physical address space
▪ P = 2p : Page size (bytes)
Components of the virtual address (VA) ▪ TLBI: TLB index
▪ TLBT: TLB tag
▪ VPO: Virtual page offset
▪ VPN: Virtual page number
Components of the physical address (PA) ▪ PPO: Physical page offset (same as VPO)
▪ PPN: Physical page number
▪ CO: Byte offset within cache line
▪ CI: Cache index ▪ CT: Cache tag
(bits per field for our simple example)
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
8
Carnegie Mellon
Today
Simple memory system example
Case study: Core i7/Linux memory system Memory mapping
CSAPP 9.6.4 CSAPP 9.7 CSAPP 9.8
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
9
Carnegie Mellon
Simple Memory System Example
Addressing
▪ 14-bit virtual addresses
▪ 12-bit physical address ▪ Page size = 64 bytes
13 12 11 10 9 8 7 6 5 4 3 2 1 0
VPN VPO
Virtual Page Number Virtual Page Offset
11 10 9 8 7 6 5 4 3 2 1 0 PPN PPO
Physical Page Number
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
10
Physical Page Offset
Carnegie Mellon
Simple Memory System TLB 16 entries
4-way associative
TLBT TLBI
13 12 11 10 9 8 7 6 5 4 3 2 1 0
VPN VPO
VPN = 0b1101 = 0x0D Translation Lookaside Buffer (TLB)
0
0
0
0
1
1
0
1
Set
Tag
PPN
Valid
Tag
PPN
Valid
Tag
PPN
Valid
Tag
PPN
Valid
0
03
–
0
09
0D
1
00
–
0
07
02
1
1
03
2D
1
02
–
0
04
–
0
0A
–
0
2
02
–
0
08
–
0
06
–
0
03
–
0
3
07
–
0
03
0D
1
0A
34
1
02
–
0
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
11
Carnegie Mellon
Simple Memory System Page Table
Only showing the first 16 entries (out of 256)
VPN
PPN
Valid
00
28
1
01
–
0
02
33
1
03
02
1
04
–
0
05
16
1
06
–
0
07
–
0
VPN
PPN
Valid
08
13
1
09
17
1
0A
09
1
0B
–
0
0C
–
0
0D
2D
1
0E
11
1
0F
0D
1
0x0D → 0x2D
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
12
Carnegie Mellon
Simple Memory System Cache
16 lines, 4-byte cache line size
Physically addressed Direct mapped
V[0b00001101101001] = V[0x369] P[0b101101101001] = P[0xB69] = 0x15
CT CI CO 11 10 9 8 7 6 5 4 3 2 1 0
PPN PPO
1
0
1
1
0
1
1
0
1
0
0
1
Idx Idx
Tag Tag
Valid Valid
B0 B0
B1 B1
B2 B2
B3 B3
0 0
19 19
1 1
99 99
11 11
23 23
11 11
1 1
15 15
0 0
– –
– –
– –
– –
2 2
1B 1B
1 1
00 00
02 02
04 04
08 08
3 3
36 36
0 0
– –
– –
– –
– –
4 4
32 32
1 1
43 43
6D 6D
8F 8F
09 09
5 5
0D 0D
1 1
36 36
72 72
F0 F0
1D 1D
6 6
31 31
0 0
– –
– –
– –
– –
7 7
16 16
1 1
11 11
C2 C2
DF DF
03 03
Idx Idx
Tag Tag
Valid Valid
B0 B0
B1
B1
B2 B2
B3 B3
8 8
24 24
1 1
3A 3A
00 00
51 51
89 89
9 9
2D 2D
0 0
– –
– –
– –
– –
A
A
2D
2D
1 1
93 93
15 15
DA DA
3B 3B
B B
0B 0B
0 0
– –
– –
– –
– –
C C
12 12
0 0
– –
– –
– –
– –
D D
16 16
1 1
04 04
96 96
34 34
15 15
E E
13 13
1 1
83 83
77 77
1B 1B
D3 D3
F F
14 14
0 0
– –
– –
– –
– –
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
13
Carnegie Mellon
Address Translation Example Virtual Address: 0x03D4
TLBT TLBI
13 12 11 10 9 8 7 6 5 4 3 2 1 0
VPN VPO
VPN _0_x_0F TLBI _0_x_3 TLBT _0_x_0_3 TLB Hit? _Y_ Page Fault? _N_ PPN: _0_x_0_D TLB
0
0
0
0
1
1
1
1
0
1
0
1
0
0
Set
Tag
PPN
Valid
Tag
PPN
Valid
Tag
PPN
Valid
Tag
PPN
Valid
0
03
–
0
09
0D
1
00
–
0
07
02
1
1
03
2D
1
02
–
0
04
–
0
0A
–
0
2
02
–
0
08
–
0
06
–
0
03
–
0
3
07
–
0
03
0D
1
0A
34
1
02
–
0
Physical Address
11 10 9 8 7 6 5 4 3 2 1 0
PPN PPO
0
0
1
1
0
1
0
1
0
1
0
0
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
14
Carnegie Mellon
Address Translation Example Physical Address
0
0
1
1
0
1
0
1
0
1
0
0
CO __0_ Cache
CT CI CO
11 10 9 8 7 6 5 4 3 2 1 0
PPN PPO
CI_0_x_5 CT _0_x_0_D Hit? _Y_ Byte: _0_x_3_6
Idx
Tag
Valid
B0
B1
B2
B3
0
19
1
99
11
23
11
1
15
0
–
–
–
–
2
1B
1
00
02
04
08
3
36
0
–
–
–
–
4
32
1
43
6D
8F
09
5
0D
1
36
72
F0
1D
6
31
0
–
–
–
–
7
16
1
11
C2
DF
03
Idx
Tag
Valid
B0
B1
B2
B3
8
24
1
3A
00
51
89
9
2D
0
–
–
–
–
A
2D
1
93
15
DA
3B
B
0B
0
–
–
–
–
C
12
0
–
–
–
–
D
16
1
04
96
34
15
E
13
1
83
77
1B
D3
F
14
0
–
–
–
–
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
15
Carnegie Mellon
Address Translation Example: TLB/Cache Miss Virtual Address: 0x0020
TLBT TLBI
13 12 11 10 9 8 7 6 5 4 3 2 1 0
VPN VPO
0x00 0 0x00 N N 0x28 VPN ___ TLBI ___ TLBT ____ TLB Hit? __ Page Fault? __ PPN: ____
Physical Address
CT CI CO
11 10 9 8 7 6 5 4 3 2 1 0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
1
0
1
0
0
0
1
0
0
0
0
0
PPN
PPO
CT ____ Hit? __ Byte: ____
0 0x8
0x28
CO___ CI___
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
Page table
VPN
03
04
05
06
07
PPN
33
02
–
16
–
–
Valid
00
01
02
28
–
1
0
1
1
0
1
0
0 16
Carnegie Mellon
Address Translation Example: TLB/Cache Miss Cache
Idx
Tag
Valid
B0
B1
B2
B3
0
19
1
99
11
23
11
1
15
0
–
–
–
–
2
1B
1
00
02
04
08
3
36
0
–
–
–
–
4
32
1
43
6D
8F
09
5
0D
1
36
72
F0
1D
6
31
0
–
–
–
–
7
16
1
11
C2
DF
03
Idx
Tag
Valid
B0
B1
B2
B3
8
24
1
3A
00
51
89
9
2D
0
–
–
–
–
A
2D
1
93
15
DA
3B
B
0B
0
–
–
–
–
C
12
0
–
–
–
–
D
16
1
04
96
34
15
E
13
1
83
77
1B
D3
F
14
0
–
–
–
–
Physical Address
CT CI CO
11 10 9 8 7 6 5 4 3 2 1 0
PPN PPO
0 0x8 0x28 N Mem CO___ CI___ CT ____ Hit? __ Byte: ____
1
0
1
0
0
0
1
0
0
0
0
0
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
17
Carnegie Mellon
Quiz Time!
Check out:
https://canvas.cmu.edu/courses/17808
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
19
Carnegie Mellon
Today
Simple memory system example
Case study: Core i7/Linux memory system Memory mapping
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
20
Intel Core i7 Memory System Processor package
Carnegie Mellon
Core x4
Registers
Instruction fetch
MMU
(addr translation)
L1 d-cache 32 KB, 8-way
L2 unified cache 256 KB, 8-way
L1 i-cache 32 KB, 8-way
L1 d-TLB
64 entries, 4-way
L2 unified TLB 512 entries, 4-way
L1 i-TLB
128 entries, 4-way
QuickPath interconnect 4 links @ 25.6 GB/s each
L3 unified cache
8 MB, 16-way (shared by all cores)
DDR3 Memory controller
3 x 64 bit @ 10.66 GB/s
32 GB/s total (shared by all cores)
To other cores
To I/O bridge
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
21
Main memory
Carnegie Mellon
End-to-end Core i7 Address Translation
CPU
36 12
32 4
L1 miss
Virtual address (VA)
32/64
L1 hit
VPN
VPO
TLBT
TLBI
TLB hit
L1 d-cache
(64 sets, 8 lines/set)
TLB miss
9999
CR3
Page tables
40 12
L1 TLB (16 sets, 4 entries/set)
VPN1
VPN2
VPN3
VPN4
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
22
Physical address (PA)
L2, L3, and main memory
Result
40 6
6
PTE
PPN
PPO
CT
CI
CO
PTE
PTE
PTE
…
…
Carnegie Mellon
Core i7 Level 1-3 Page Table Entries
6362 5251 1211 9876543210
XD
Unused
Page table physical base address
Unused
G
PS
A
CD
WT
U/S
R/W
P=1
Available for OS (page table location on disk)
P=0
Each entry references a 4K child page table. Significant fields: P: Child page table present in physical memory (1) or not (0).
R/W: Read-only or read-write access access permission for all reachable pages. U/S: user or supervisor (kernel) mode access permission for all reachable pages. WT: Write-through or write-back cache policy for the child page table.
A: Reference bit (set by MMU on reads and writes, cleared by software).
PS: Page size either 4 KB or 4 MB (defined for Level 1 PTEs only).
Page table physical base address: 40 most significant bits of physical page table
address (forces page tables to be 4KB aligned)
XD: Disable or enable instruction fetches from all pages reachable from this PTE.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
23
Carnegie Mellon
Core i7 Level 4 Page Table Entries
6362 5251 1211 9876543210
XD
Unused
Page physical base address
Unused
G
D
A
CD
WT
U/S
R/W
P=1
Available for OS (page location on disk)
P=0
Each entry references a 4K child page. Significant fields: P: Child page is present in memory (1) or not (0)
R/W: Read-only or read-write access permission for child page
U/S: User or supervisor mode access
WT: Write-through or write-back cache policy for this page
A: Reference bit (set by MMU on reads and writes, cleared by software) D: Dirty bit (set by MMU on writes, cleared by software)
G: Global page (don’t evict from TLB on task switch)
Page physical base address: 40 most significant bits of physical page address
(forces pages to be 4KB aligned)
XD: Disable or enable instruction fetches from this page. Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
24
Carnegie Mellon
Core i7 Page Table Translation
9 9 9 9 12
Virtual address
VPN 1
VPN 2
VPN 3
VPN 4
VPO
L1 PT
Page global directory
L2 PT
Page upper 40 directory
L3 PT
Page middle
40 directory 40
L4 PT
Page table
40
CR3/ / / /
L4 PTE
L2 PTE
L3 PTE
Physical address of L1 PT
Offset into /12 physical and virtual page
L1 PTE
512 GB region per entry
1 GB region per entry
2 MB region per entry
4 KB region per entry
40 /
Physical address of page
40
12
Physical address
PPN
PPO
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
25
Carnegie Mellon
Cute Trick for Speeding Up L1 Access
CT
Tag Check
40 66
CT
CI
CO
Physical address (PA)
Virtual address (VA)
Address Translation
No Change
CI
PPN
PPO
VPN
VPO
36 12
Observation
▪ Bits that determine CI identical in virtual and physical address
▪ Can index into cache while address translation taking place
▪ Generally we hit in TLB, so PPN bits (CT bits) available quickly
▪ “Virtually indexed, physically tagged”
▪ Cache carefully sized to make this possible Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
26
L1 Cache
Carnegie Mellon
Virtual Address Space of a Linux Process
Process-specific data structs (ptables, task and mm structs,
kernel stack)
Physical memory
Kernel code and data
User stack
Memory mapped region for shared libraries
Runtime heap (malloc)
Uninitialized data (.bss)
Initialized data (.data)
Program text (.text)
Different for each process
Identical for each process
%rsp
Kernel virtual memory
0x00400000
brk
Process virtual memory
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
27
0
Carnegie Mellon
Linux Organizes VM as Collection of “Areas”
task_struct
mm_struct
vm_area_struct
Process virtual memory
vm_end
vm_start
vm_prot
vm_flags
vm_next
mm
pgd
mmap
vm_end
vm_start
vm_prot
vm_flags
vm_next
pgd:
▪ Page global directory address ▪ Points to L1 page table
vm_prot:
▪ Read/write permissions for
this area
vm_flags
▪ Pages shared with other
processes or private to this
process
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
0
Each process has own task_struct, etc 28
vm_end
Shared libraries
Data
Text
vm_start
vm_prot
vm_flags
vm_next
Carnegie Mellon
Linux Page Fault Handling
vm_area_struct
Process virtual memory
shared libraries
data
text
vm_end
vm_start
vm_prot
vm_flags
vm_next
1
read
3
read
2
write
Segmentation fault:
accessing a non-existing page
Normal page fault
Protection exception:
e.g., violating permission by writing to a read-only page (Linux reports as Segmentation fault)
vm_end
vm_start
vm_prot
vm_flags
vm_next
vm_end
vm_start
vm_prot
vm_flags
vm_next
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
29
Carnegie Mellon
Today
Simple memory system example
Case study: Core i7/Linux memory system Memory mapping
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
30
Carnegie Mellon
Memory Mapping
VM areas initialized by associating them with disk objects.
▪ Called memory mapping
Area can be backed by (i.e., get its initial values from) : ▪ Regular file on disk (e.g., an executable object file)
▪ Initial page bytes come from a section of a file ▪ Anonymous file (e.g., nothing)
▪ First fault will allocate a physical page full of 0’s (demand-zero page) ▪ Once the page is written to (dirtied), it is like any other page
Dirty pages are copied back and forth between memory and a special swap file.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
31
Carnegie Mellon
Review: Memory Management & Protection Code and data can be isolated or shared among processes
Address 0 translation
PP 2
PP 6
PP 8
VP 1
VP 2
Virtual Address Space for Process 1:
0
Physical Address Space (DRAM)
(e.g., read-only library code)
…
VP 1
VP 2
Virtual Address Space for Process 2:
N-1
0
…
…
N-1
M-1
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
32
Carnegie Mellon
Sharing Revisited: Shared Objects
Process 1 virtual memory
Physical memory
Process 2 virtual memory
Process 1 maps the shared
object (on disk).
Shared
object
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
33
Carnegie Mellon
Sharing Revisited: Shared Objects
Process 1 virtual memory
Physical memory
Process 2 virtual memory
Process 2 maps the same shared object.
Notice how the virtual addresses can be different.
But, difference must be multiple of page size.
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
34
Shared
object
Carnegie Mellon
Sharing Revisited:
Private Copy-on-write (COW) Objects
Process 1 virtual memory
Physical memory
Process 2 virtual memory
Private copy-on-write area
Two processes mapping a private copy-on-write (COW) object
Area flagged as private copy-on- write
PTEs in private areas are flagged as read-only
Private
copy-on-write object
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
35
Carnegie Mellon
Sharing Revisited:
Private Copy-on-write (COW) Objects
Process 1 virtual memory
Physical Process 2 memory virtual memory
Copy-on-write
Instruction writing to private page triggers protection fault.
Handler creates new R/W page.
Instruction restarts upon handler return.
Copying deferred as long as possible!
36
Write to private copy-on-write
Private
copy-on-write object
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
page
Carnegie Mellon
Finding Shareable Pages
Kernel Same-Page Merging
▪ OS scans through all of physical memory, looking for duplicate pages
▪ When found, merge into single copy, marked as copy-on-write
▪ Implemented in Linux kernel in 2009
▪ Limited to pages marked as likely candidates
▪ Especially useful when processor running many virtual machines
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
37
Carnegie Mellon
User-Level Memory Mapping
void *mmap(void *start, int len,
int prot, int flags, int fd, int offset)
Map len bytes starting at offset offset of the file specified by file description fd, preferably at address start
▪ start: may be 0 for “pick an address”
▪ prot: PROT_READ, PROT_WRITE, PROT_EXEC, …
▪ flags: MAP_ANON, MAP_PRIVATE, MAP_SHARED, …
Return a pointer to start of mapped area (may not be start)
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
38
Carnegie Mellon
User-Level Memory Mapping
void *mmap(void *start, int len,
int prot, int flags, int fd, int offset)
len bytes offset
len bytes start
(or address chosen by kernel)
(bytes)
0
Disk file specified by
0
file descriptor fd
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
39
Process virtual memory
Carnegie Mellon
Uses of mmap Reading big files
▪ Uses paging mechanism to bring files into memory
Shared data structures
▪ When call with MAP_SHARED flag
▪ Multiple processes have access to same region of memory ▪ Risky!
File-based data structures ▪ E.g., database
▪ Give prot argument PROT_READ | PROT_WRITE
▪ When unmap region, file will be updated via write-back
▪ Can implement load from file / update / write back to file
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
40
Carnegie Mellon
Example: Using mmap to Support Attack Lab Problem
Want students to be able to perform code injection attacks
Shark machine stacks are not executable Solution
Suggested by Sam King (now at UC Davis)
Use mmap to allocate region of memory marked executable Divert stack to new region
Execute student attack code
Restore back to original stack
Remove mapped region
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
41
Carnegie Mellon
Using mmap to Support Attack Lab Memory
Kernel virtual memory
User stack (created at runtime)
Memory-mapped region for shared libraries
Run-time heap (created by malloc)
Read/write segment (.data, .bss)
Read-only segment (.init, .text, .rodata)
Unused
invisible to user code
%rsp
(stack pointer)
0x40000000
0
42
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
Carnegie Mellon
Using mmap to Support Attack Lab Memory
Kernel virtual memory
User stack (created at runtime)
Memory-mapped region for shared libraries
Region created by mmap
Run-time heap (created by malloc)
Read/write segment (.data, .bss)
Read-only segment (.init, .text, .rodata)
Unused
invisible to user code
%rsp
(stack pointer)
0x55586000
0x40000000
0
43
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
0x55586000
Carnegie Mellon
Using mmap to Support Attack Lab Memory
Kernel virtual memory
User stack (created at runtime)
Memory-mapped region for shared libraries
Region created by mmap
Run-time heap (created by malloc)
Read/write segment (.data, .bss)
Read-only segment (.init, .text, .rodata)
Unused
invisible to user code
%rsp
(stack pointer)
Frame for launch
Frame for test
Frame for getbuf
0x55586000
0x40000000
0
44
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
0x55586000
Carnegie Mellon
Using mmap to Support Attack Lab Memory
Kernel virtual memory
User stack (created at runtime)
Memory-mapped region for shared libraries
Run-time heap (created by malloc)
Read/write segment (.data, .bss)
Read-only segment (.init, .text, .rodata)
Unused
invisible to user code
%rsp
(stack pointer)
0x40000000
0
45
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
Carnegie Mellon
Summary
VM requires hardware support ▪ Exception handling mechanism
▪ TLB
▪ Various control registers
VM requires OS support ▪ Managing page tables
▪ Implementing page replacement policies ▪ Managing file system
VM enables many capabilities ▪ Loading programs from memory ▪ Providing memory protection
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
46
Carnegie Mellon
Using mmap to Support Attack Lab Allocate new region
void *new_stack = mmap(START_ADDR, STACK_SIZE, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_PRIVATE | MAP_GROWSDOWN | MAP_ANONYMOUS | MAP_FIXED,
0, 0);
if (new_stack != START_ADDR) {
munmap(new_stack, STACK_SIZE);
exit(1); }
Divert stack to new region & execute attack code Restore stack and remove region
stack_top = new_stack + STACK_SIZE – 8; asm(“movq %%rsp,%%rax ; movq %1,%%rsp ; movq %%rax,%0”
: “=r” (global_save_stack) // %0
: “r” (stack_top) // %1 );
launch(global_offset);
Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition
47
asm(“movq %0,%%rsp” :
: “r” (global_save_stack) // %0 );
munmap(new_stack, STACK_SIZE);